Workers who need to access their work systems from their smartphone may soon be giving the finger to passwords as mobile biometrics gathers pace as a viable alternative for proving people are who they claim to be.

At least that's what could happen if enterprise IT departments respond favourably to new methods that leverage a smartphone's inbuilt sensors, such as cameras, iPhone-like fingerprint scanners, skin sensors and other biometric proof of identity.

Analyst firm Gartner says enterprises will start using biometrics soon. With consumer-owned devices set to continue invading the workplace, it expects about 30 per cent of organisations will be using biometrics to manage access from mobile devices by 2017. Today biometrics is deployed by just 5 per cent.

Cost, privacy concerns, usability and inadequate technology have constrained its adoption for enterprise, but password and token fatigue will probably change that, according to Anne Robins, Gartner Australia's research director for identity and privacy strategies.

"People are becoming increasingly dissatisfied with managing large numbers of complex passwords or using other special-purpose hardware tokens," Robins told IT Pro. "This groundswell is a strong motivation for enterprises to look to mobile biometrics, especially for customers, where an improved user experience could be a commercial differentiator."

Apple introduced its TouchID last year, a fingerprint scanner under the home button of the iPhone 5s, which lets people unlock the device and authorise iTunes and App Store purchases. Third-party developers can't use the sensor for their own apps yet, ruling it out for enterprise authentication for now. Fingerprint scanners were previously used on the Motorola Atrix smartphone and some Windows Vista laptops.

Still, Apple set the ball rolling for biometric authentication, which mobile, biometrics and authentication vendors are aiming to push beyond passports and criminal databases.

"When Apple put out TouchID, it just made the technology very cool. And everyone wants to use it. That was a big boost that the industry needed," said Sebastien Taveau, chief evangelist at Synaptics.

Synaptics supplies the bulk of touchpads used in today's laptops but last week launched its answer to TouchID, called Natural ID, a sensor it is selling to Apple's rivals.

The sensor is designed around authentication protocols being developed by the Fast IDentity Online (FIDO) Alliance, led by Google, Microsoft, BlackBerry, Lenovo, PayPal, MasterCard, RSA and a host of smaller authentication vendors.

These protocols ensure biometric and other authentication credentials stay on the device – a move meant to address credentials being stored on central servers that are all too often pilfered by hackers.

"The password is broken. A centralised database of credentials is the worst thing that can happen for authentication but it is the best thing for hackers," said Taveau.

They'd need to work quickly. "In most instances the putrefaction process starts within 10 minutes of something being dead. And then in 30 minutes the stuff is dead," said Taveau.

Modern sensors look for "blanch", the medical term for the white marks that appear after applying pressure to skin. "If you start playing around with a dead finger, guess what? You don't have a blanch."

This week, Apple was joined by the world's largest smartphone maker Samsung, which included a sensor similar to TouchID on its new Android flagship, the Galaxy S5.

Samsung's partnership with PayPal, one of the founding members of the FIDO Alliance, lets owners make payments on PayPal with a touch of the finger. The device only shares a unique encrypted key with PayPal that allows the payments firm to verify the identity of the customer, but doesn't store biometric information on PayPal's servers.
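The on-device credential model described above (keys generated and kept on the phone, the server holding only a public key, the biometric never transmitted), written out as an added example; this is not code from the FIDO Alliance, PayPal or Samsung, and it assumes Ed25519 signatures and a constructed string standing in for the fingerprint template:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Authenticator models the phone-side secure element: the private key and the
// enrolled fingerprint template (a constructed string stand-in) never leave it.
type Authenticator struct {
	priv     ed25519.PrivateKey
	template string
}

// RelyingParty models the server (PayPal in the article). It stores only public
// keys per user, so a breach of it yields nothing that can impersonate anyone.
type RelyingParty map[string]ed25519.PublicKey

// Enrol generates a key pair on the device and registers only the public half.
func Enrol(rp RelyingParty, user, template string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rp[user] = pub
	return &Authenticator{priv: priv, template: template}, nil
}

// Challenge issues a fresh random nonce, so a captured signature cannot be replayed.
func (rp RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Sign releases a signature only after a local biometric match; the template
// itself is never transmitted, only the signature over the challenge.
func (a *Authenticator) Sign(presented string, challenge []byte) ([]byte, error) {
	if presented != a.template {
		return nil, errors.New("local biometric match failed; no signature released")
	}
	return ed25519.Sign(a.priv, challenge), nil
}

// Verify checks the signed challenge against the user's registered public key.
func (rp RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}
```

A stolen copy of the RelyingParty map contains 32-byte public keys only, and a signature captured in transit fails against the next challenge, which is the point of keeping credentials on the device.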

But they're just two examples of a cluster of new authentication methods emerging for password-free access to apps and devices. Another FIDO Alliance member, EyeVerify, uses a smartphone camera for "eye print" scanning.

They also hold promise as replacements for one-time codes from RSA's SecurID tokens. RSA last year acquired PassBan, a start-up that lets users lock down Android apps with a variety of techniques, including voice, face and location. Should RSA roll the technology into its own portfolio, biometrics will almost certainly be offered to enterprises.

Despite the growing interest in mobile biometrics, it remains an emerging technology. And, since it relies on the smartphone itself, it is exposed to the same malware threats, which could mean digital biometric credentials are stolen.

Google is advancing the FIDO Alliance's goals for better online authentication with an internal trial of a prototype one-time password token from Swedish manufacturer Yubico. It improves on existing tokens by not requiring users to type in a second code. Instead, after entering a simple PIN, a person only needs to tap the authentication device, which is physically connected to a laptop or wirelessly connected to a mobile device.

"By moving out the user credentials from a phone or computer that is connected to the internet, we minimise the risk of malware taking control over the user identity and device," Yubico's chief executive and founder, Stina Ehrensvard, told IT Pro.

Yubico's token has also been taken up by Facebook, Australian cement giant Boral, the European Organisation for Nuclear Research, and the US Department of Defence.

For now, it seems that a jump to a lower-hassle but equally secure two-factor authentication method is meeting enterprise needs sufficiently, without demanding big investments in experimental authentication. But that could very well change in the not too distant future.

15 comments

My phone is smart. It only works within 50 metres of the house.

Commenter: David Morrison | Location: Blue Mountains | Date and time: February 27, 2014, 3:19PM

Comparing Apple's TouchID with the swipe sensors in the old Motorola Atrix and the new Galaxy S5 is akin to comparing a modern jet (say an F/A-18) with a WW2-era piston-engined fighter. It's chalk and cheese. TouchID works by using an 88x88 active matrix sensor array that emits EM waves and makes a 3D image of the skin surface on the sensor. Every review reckons it works very well, with few failures at any angle of incidence.

Swipe sensors, on the other hand, take a line-by-line photo scan of the finger and are susceptible to large failure rates due to grease or residue on the sensor, failure to swipe in a linear motion, etc. The Atrix was known to fail up to 90% of the time. This wasn't a feature but a bug.

Just having something on a spec sheet to please the geeks, doesn't mean it actually works!

Commenter: Mojo | Date and time: February 27, 2014, 4:14PM

Unfortunately Apple has only made their Fingerprint ID available to unlock and purchase for iTunes, which is disappointing, as I would like to use it for more things on my iPhone 5S.

I'm sure since the debut of the Atrix (which was 3 years ago), technology has evolved, heck, the fingerprint sensor on my laptop (which works the same way) is quite accurate, and from the videos of the S5, it seems to work well enough.

No doubt if Samsung implemented their fingerprint sensor the same way as Apple, there would be issues since Apple bought Authentec and no doubt their patents.

I'm not a fan of fingerprints, because even on my iPhone 5S, which you say is the "modern jet", it is not accurate and I ended up using my PIN more, as many times it did not work.

Commenter: Zac | Location: Melbourne | Date and time: February 27, 2014, 10:53PM

So I am reading this article and I ask myself: how different is this to using picture passwords in Windows 8? Both (biometric and picture) are easy to use and both have the same limitation when used in an enterprise environment: Active Directory does not store pictures or fingerprints or iris patterns or entrails, just passwords.

So this means that once your password renewal is up, the user needs to remember their current AD password and then update it and then apply the picture/finger print/whatever after.

And all of this is based on the assumption that the tech has improved significantly in the last decade - although finger print scanning has been around a lot longer.

Commenter: IT Manager | Location: Sydney | Date and time: February 28, 2014, 9:01AM

On the other hand, I have a swipe sensor on the Lenovo laptop (2011 model) that I am writing this on, that is about the size of the one on the Galaxy S5. I successfully log on with it first time every single day. Who would have thought? Have you tried the S5?

Commenter: Dags | Date and time: February 28, 2014, 3:02PM

There is no science on fingerprints being unique. No one has ever done scientific research; it is just a proposal by Galton that "no two fingerprints are identical". If it is scientific, can anyone please name the science researcher who found that fingerprints are unique? Also, please state which sample data was used and in how many countries.

Commenter: Andy | Location: Canberra | Date and time: February 27, 2014, 6:12PM

Well, police enforcement used to identify people with fingerprint ID; why would they still take fingerprints after a crime scene as well?

You're absolutely right, Andy. There is no evidence, just a low statistical probability that this is the case. The documentary by CBC Frontline in 2012, "The Real CSI", explores the various issues associated with fingerprint data, establishing a standardised assessment methodology and the influence of operator error.

Yet the myth that fingerprints are an irrefutable form of biometric data carries on despite the science sometimes seeming tenuous or at the least capable of large errors.

The problem is unlikely to affect devices, but in the case of the Madrid terror bombings the attorney Brandon Mayfield, who was held as a material witness, was hammered simply for having similar fingerprints to another known terrorist. The machines and then the people evaluating those fingerprints were all highly skilled, but even they made mistakes.

I'm not a fan of biometric data collection. It's all fine until someone uses the data nefariously or everything pertaining to your identity goes pear-shaped.

Commenter: MattG | Date and time: February 28, 2014, 2:56PM

I'd be keen to try out the fingerprint scanner on the Galaxy S5. I currently have an iPhone 5s and the scanner only works about 50% of the time. So much so that I now just swipe and enter the password; I can't be bothered trying and failing with my finger half the time.

Commenter: James | Location: Sydney | Date and time: February 28, 2014, 9:39AM

In the past I would have been interested in new tech like this coming out. Now I just think "what will the NSA do?".
